We must have loads of small business owners and sole traders here. What are you guys doing?

Mrs is a Sole Trader with a website. The website has just two forms through which customers can contact her and leave feedback. Otherwise, customers will contact her by phone or directly by email.

Minimal customer information is taken - name, address, phone number(s), email address and any business specifics. That information is held in a spreadsheet and in individual customer knowledge documents.

So, data is gleaned and processed ...

I have followed guidance from the ICO and put together a privacy policy for the website. I've also ensured that the two forms have an acceptance box (not pre-filled) and that this is recorded when the forms send their emails on.

I'm struggling now with some of the specifics and it's not for lack of contacting the ICO. I started with a web chat which was merely updated with links to documents that I've already read, and then when I started asking specifics, the chat abruptly ended. Annoyed, I rang them and started to talk through a few scenarios, only to be guided to the same documentation.

1. What do we do with existing data? Granted it falls under the GDPR after May 25th, but does she need to seek new consent from all customers to hold their data (that's simply their names, addresses, phone numbers, email addresses and any details pertinent for providing service).

2. Many Sole Traders have a website. Information that comes in via email and/or web forms is hosted by the website provider. Since data under the GDPR cannot be held outside of the EEA, how are folks tackling their web hosting companies - she's with UK2. The person at the ICO said this was between her and her provider.

3. Likewise, how or where are folks backing up their data? Many will keep their business spreadsheets in and amongst their regular files on their computer. Say they sync to cloud, be it iCloud, OneDrive, whatever; it's only the Enterprise versions of these (like Office 365 for Business or Dynamics CRM) that carry GDPR statements. Regular folks for whom these services are not financially viable are left with cloud that could be anywhere ... outside of the EEA, to be presumed, and therefore in breach of the GDPR. The person at the ICO said this was between her and her provider.

4. Apps. WhatsApp, for example, to communicate with customers, send/receive information and so on, holds data outside of the EEA. I'm going to guess iMessage, too. Hang it all, perhaps the mobile phone provider uses storage outside of the EEA and she'll be unwittingly in breach. The person at the ICO said this was between her and her mobile phone provider.

5. Customers that request that she send data to them while they are outside of the EEA. It happens. Is that in breach? The person at the ICO did not know.

6. Say a customer exercises their right to be forgotten and she removes all that data, information, invoices, etc ... and then has a HMRC audit, they'll find missing documents. She could fabricate an entire business and say it was all removed under GDPR. The person at the ICO said that would be for her to work out with the HMRC.

7. Malicious intent. Say she wanted to get rid of all her competition, all she needs to do on the 26th May is visit all competitors' websites and then request her data. Cookies are data. When they reply "Que?", she reports the lot to the ICO and draws them into litigation. The person at the ICO agreed that this was possible. Spun the other way around, what's to stop competitors doing this?

How are folks dealing with GDPR? As I said at the top, she ensures consent for cookies, for data submitted through web forms and has a privacy statement in effect on her website along with notice on forms as to what, why and what will happen to data submitted. She has a data map - knows where all data comes in, where it is, where it goes and who it is shared with.

What we're struggling on is the questions above - it seems to cover herself, she's going to need a Solicitor to go through the privacy statement, engage with a business account for web hosting, buy into Enterprise level agreements for Office 365/Cloud hosting and so on and so on ...

Seems to me the reason GDPR is coming in (see Facebook and the recent Cambridge Analytica debacle) is actually going to cause most headaches for the small business and Sole Trader while the big boys continue to thumb their noses at this sort of thing.

I'm a sole trader through my own limited company, but the majority of my business (IT Consulting) is business to business and I hold very little private data. Where my work requires access to clients' personal data I now only use their IT equipment and abide by their processes.

As for web hosting, I would advise having a business account (Enterprise in the MS sense is unlikely to be suitable for a sole trader) anyway. Typically they will confirm data hosting location.

I believe for anyone hosting applications on MS Azure that there is an EU only option for data hosting.

Office365? - good luck there!

If I were doing B2C and/or a lot of marketing then it's going to be a paper chase to demonstrate compliance with the six principles.

I can tell you that in my experience "the big boys" are spending a lot of time and money ensuring compliance with GDPR. One of my clients, a UK FTSE 100, has a major project to implement and demonstrate compliance.

She has a good privacy policy that ticks all the boxes from the ICO guidance (in fact, not massively dissimilar to the ICO's itself), just two web forms which inform, request consent explicitly and link to the privacy policy along with details of who to contact to retrieve, remove or amend data that she holds. She has a data map, dates of when items were gleaned, has a process for mitigating risk in the event of a breach and has all this written down. I've found out since that her hosting is UK located; it's a business package. Data on the server (from web forms) and email on their web servers remains in the UK.

The last bit of the puzzle is simply offsite/cloud backup for the purposes of disaster recovery and business continuity - keeping that in the EEA is the puzzle. At the moment, it's on OneDrive with an Office 365 subscription. As you say @Miles Teg it's not until you're on Azure that you can specify geographic location for rest data. Dropbox are very keen to say they're GDPR compliant, but I need to figure out whether that's okay for the personal - it'd do. Her entire data footprint is only a mere couple of hundred meg!

Points of issue are what she does with existing data. She has (personally) received re-consent emails from things she's signed up to and simply put, it confused her. For her to do just that to all her customers would no doubt put them all in a panic. When it's quite obvious that none of her competitors are doing anything at all about this, it's a risk for her (alone) to do something like that and upset her customers. That's something to ponder ...

Maybe I'm completely overthinking this ...

After all, the reason for this is to rail against the sort of cavalier attitudes that "the big boys" take to our personal information. That said, the folks who are likely to find the first set of fines are likely to be small businesses and sole traders for whom turnover simply does not warrant the kind of money that seemingly needs spending to assure that compliance is met.

I'm pretty happy with where she's at with this, but it's always that final detail that gets you nailed. Alas, the ICO themselves were somewhat less than helpful.

I think it's much more likely the ICO will go for a trophy fine on some middle to big size organisation early doors to set an example. I can't imagine they have the resource to fine micro businesses on small points of compliance.

In our business we view the main risk as a disgruntled customer using this as a stick to beat you with, but that's as it ever was...

You sound like you're on top of things.

The ICO have been literally less than helpful. I ask questions, I get a URL pointing to some sort of guidance which I've already read ... I say that and say that the document does not answer my question and I get told I'm asking awkward questions. Well, duh! Yes! That's why I'm contacting them.

I've had really useful information from her web hosting company - UK2. I really can't fault their support service - it's easy to get in touch and they always reply in a timely manner. Their responses to questions about geolocation of servers and so on has been really useful and springboards to talking more generally about GDPR.

British Fencing also has a really good set of resources as I've got that headache to come as Chairman of our local fencing club. Thankfully we do have a DPO who has done a lot of the work, but I still have to steer it. I'm cribbing a lot of that for Mrs' business.

Yes, you're absolutely right @Antonio and a contract forms a legal basis for processing information. I've just had to tweak one of her data flows so that enquiries are left in the form that they were sent in (web form email, direct email, text, phonecall notes) until an initial meeting has taken place and she has been contractually engaged. At that point she can put the information into her customer database.

Cheers! Yes, I'm thinking much the same, although from competitors. Thankfully, absolutely NONE of her competitors within 50 miles have any hint that they're considering GDPR from anything on their websites. I did pose the question to the ICO that come the 26th May, she could visit these websites (cookies), make a request to see the information held about her and when they don't come back with it report them all to the ICO. ... and so any of those people could try the same against her.

Thankfully, her business is simple. Really simple. Any request could be fulfilled within seconds. Yes, details of how to make the request are in her privacy policy on her website.

But, phew! What a lot of work ... and this much thinking, rethinking, documenting, considering, all so out of scale for the size and scope of business here. To cover everything, I've also written a GDPR Compliance Statement detailing compliance (with examples) from the website, the privacy policy, data map, data flows, evidence of location of servers, evidence of location of backup/offline/cloud servers, evidence of password protection, risk mitigation ... yes, I'm on top of this but I really don't like the idea that I might have missed something so simple.

I've followed the spirit of the advice given by the ICO and what I've produced does tick all the boxes. I just don't want to be strung up by some detail that I've missed or something I've not understood, especially in the wording and definition ...

Indeed! The world didn't end and for a brief period the internet (certainly from the US) looked like a reboot of 1995. Loads of US sites simply closing off Europe or offering limited access. The Arizona Times, for example, gave a text only version with no pictures, no adverts, no flash, nothing ... ran spectacularly fast, like Usenet (that's like Reddit, but a generation or more ago).

No, it's a seriously big deal! So much so that many global companies simply refused access from the EU while they sorted their house out in a bit of a panic. It's no doubt going on today and will continue for some time.

In a nutshell, it's a rough sketch and folks just don't know how to approach it. In our case, Mrs has a simple business setup but it's been a LOT of work. I know from my actual work (NHS) that it's a literal nightmare. For GPs, it's a lost revenue stream as they could previously charge for you to see your patient record - now you have an actual right and charging you is a thing of the past. GPs were taking a bit of a hit yesterday.

Of course, like all laws, it won't actually stop those who flout them anyway ... so the criminal thugs at the top of the food chain will continue to do whatever they want with our data, citing "prove it". Regular folks are the ones who will fall foul of silly technicalities.